Published by Camron Mosley. Modified over 8 years ago.

Spring 2013 SOLVE IT
An easy way to give out private information
Cell phones communicate through the air by radio waves with a base station.
Cell phones depend on areas, or cells, each with its own base station, which can use the same frequencies as other cells.
The base station connects to the operator’s backbone network and the wider public telephone network, as well as the networks of other mobile phone operators.
The day when everyone has a PC in their pocket has arrived.
Annual growth rate is 150%.
Three things driving growth:
- Increasing amount of time we spend online, whether for business or pleasure
- Instant gratification: hard to wait to check messages or update status
- Lifestyle patterns, social networking
1G Phones – Analog telephones with no texting or messaging capabilities
2G Phones – Digital telephones with personal communications services (PCS), like paging, caller ID and e-mail
3G Phones – Multimedia smart phones featuring increased bandwidth and transfer rates to accommodate Web-based applications and phone-based audio and video files
4G Phones – Available now; feature real-time transfer rates
Billing Problems
Stolen Data
Malware
Cell phone systems very quickly moved towards automated billing:
- Each cell phone is given a MIN/ESN pair.
  - ESN: 32-bit serial number, “burned” into the cell phone
  - MIN: your phone number
- During call origination or registration, the cell phone sends its MIN/ESN pair to a base station for billing purposes.
Vulnerabilities:
- Scanners soon became cheap enough to intercept cellular radio channels.
- Since everything is sent unencrypted, anyone with a scanner could eavesdrop on conversations.
- Other privacy violations were also possible, but less widely exploited:
  - Monitoring the identity of the calling party and the called party
  - Intercepting any digits dialed on the keypad
  - Rough location tracking
By the late ’80s, scanners were mass-market consumer electronics.
- Available for $300 at your local Radio Shack
- Range: miles
- Usually captures only the voice channel
Congressional records indicate 10–15 million scanners in the US (compare to 50 million cellphone users).
Bottom line: it is likely that nearly everyone who has ever used a cellphone has had a call intercepted.
More sophisticated attacks (e.g. location tracking) have occurred, but are not widespread.
Many attacks are in widespread use.
- US industry loses about $650 million/year
- Perhaps 5% of all calls are fraudulent
Types of attacks:
- Subscription fraud
- Phone theft
- Tumbling
- Cloning
- Insider attacks (dealers, clerks)
- Inter-provider fraud
- Attacks on phone switches and other infrastructure
How to clone a phone:
1. Obtain a valid MIN/ESN pair (usually with the aid of a scanner)
2. Program it into your phone
3. Call for free
Black boxes to automate the whole process are widely available on the black market, sometimes at prices only slightly above the cost of a legitimate cellphone.
Airports and highways are a favorite place to obtain hundreds of MIN/ESN pairs.
Underground call-sell operations are huge profit centers.
Many criminals love cloned phones for their anonymity.
Cloning is often combined with tumbling to make detection harder.
Some thieves use captured MIN/ESN pairs only outside of the home service area, since roaming makes detection harder.
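A cloned phone carries a copy of someone else's MIN/ESN pair, so from the operator's side the tell-tale sign is one identity registering at two base stations that a single handset could not have travelled between in the time available. The following is an added example of that defender-side check, not code from the slides: it parses a registration log and flags impossible travel for the same MIN/ESN pair. The base-station table, the log format, the 900 km/h threshold and the sample records are all constructed for this example.

```python
"""Impossible-travel check for MIN/ESN registrations (added example).

A cloned handset carries a captured MIN/ESN pair, so when both the legitimate
phone and the clone register, one identity appears at two base stations too far
apart for a single handset to have moved between them. The base-station table,
the log format and the sample records are constructed for this example.
"""
from dataclasses import dataclass
from datetime import datetime
from math import asin, cos, radians, sin, sqrt
from typing import Dict, List, Tuple

# Constructed base-station table: cell id -> (latitude, longitude).
BASE_STATIONS: Dict[str, Tuple[float, float]] = {
    "NYC-01": (40.7128, -74.0060),
    "NYC-02": (40.7580, -73.9855),
    "LAX-01": (33.9416, -118.4085),
}

# Faster than a commercial airliner: no single handset moves this fast.
MAX_SPEED_KMH = 900.0


@dataclass(frozen=True)
class Registration:
    ts: datetime
    min_: str   # mobile identification number (the phone number)
    esn: str    # electronic serial number burned into the handset
    cell: str   # base station that received the registration


def parse_log(lines: List[str]) -> List[Registration]:
    """Parse constructed 'ISO-timestamp MIN ESN CELL' records; skip malformed ones."""
    regs = []
    for line in lines:
        parts = line.split()
        if len(parts) != 4 or parts[3] not in BASE_STATIONS:
            continue
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        regs.append(Registration(ts, parts[1], parts[2], parts[3]))
    return sorted(regs, key=lambda r: r.ts)


def haversine_km(a: Tuple[float, float], b: Tuple[float, float]) -> float:
    """Great-circle distance between two (lat, lon) points in kilometres."""
    lat1, lon1 = map(radians, a)
    lat2, lon2 = map(radians, b)
    h = sin((lat2 - lat1) / 2) ** 2 + cos(lat1) * cos(lat2) * sin((lon2 - lon1) / 2) ** 2
    return 2 * 6371.0 * asin(sqrt(h))


def find_clone_suspects(regs: List[Registration]) -> List[Tuple[str, str, str, str, float]]:
    """Return (MIN, ESN, previous cell, current cell, implied km/h) for every
    consecutive pair of registrations of one MIN/ESN that implies impossible travel."""
    last_seen: Dict[Tuple[str, str], Registration] = {}
    alerts = []
    for reg in regs:
        key = (reg.min_, reg.esn)
        prev = last_seen.get(key)
        if prev is not None and prev.cell != reg.cell:
            km = haversine_km(BASE_STATIONS[prev.cell], BASE_STATIONS[reg.cell])
            hours = (reg.ts - prev.ts).total_seconds() / 3600.0
            speed = km / hours if hours > 0 else float("inf")
            if speed > MAX_SPEED_KMH:
                alerts.append((reg.min_, reg.esn, prev.cell, reg.cell, round(speed, 1)))
        last_seen[key] = reg
    return alerts


# Constructed sample log: a normal move across town, then the same pair on the
# other coast fifteen minutes later, plus an unrelated phone and a junk line.
SAMPLE_LOG = [
    "2013-03-01T09:00:00 2125550142 0x1A2B3C4D NYC-01",
    "2013-03-01T09:20:00 2125550142 0x1A2B3C4D NYC-02",
    "2013-03-01T09:35:00 2125550142 0x1A2B3C4D LAX-01",
    "2013-03-01T10:00:00 2125550199 0x0F0E0D0C NYC-01",
    "not a registration record",
]

if __name__ == "__main__":
    for alert in find_clone_suspects(parse_log(SAMPLE_LOG)):
        print("possible clone:", alert)
```

The check works across home and roaming cells as long as the operator sees both registration streams, which is why the slide's observation that roaming makes detection harder holds only when records are split between providers. It is a per-pair check, so tumbling (switching to a fresh captured pair every call) defeats it; that needs a different signal, such as the rate at which previously unseen pairs appear at one cell.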
Mobile spy tools are applications that are installed onto a phone to send information out from the phone.
Typical example: an application that forwards all received SMS messages to a third party without the user’s permission.
These tools are not illegal in and of themselves; their vendors state that they must be used only for legal purposes.
In reality, most use of these tools is illegal.
Who uses them? The same people who use PC-based spy tools:
- Oppressive spouses and other domestic abuse cases
- Private investigators / divorce attorneys
- Managers monitoring their employees
- Industrial spies
Some vendors sell both PC and mobile spy tools, and give discounts if you buy both: “Spy both on your wife’s PC and her mobile phone.”
What these tools can capture:
- SMS and MMS traffic information and content, including phone numbers and phone book names of both the sender and receiver
- E-mail traffic information and content
- SIM card information
- Call information
- Voice recording
- Call interception by setting up a covert conference call
- Physical location based on GPS data
- User key presses
Requirements:
- Purchase a tool such as SpyPhone or FlexiSpy
- 5 minutes of physical access to the phone
- Monitor reports
- Delete all traces of the software
A German computer engineer deciphered and published the secret code used to encrypt most of the world’s digital mobile phone calls.
The action by the encryption expert, Karsten Nohl, aimed to question the effectiveness of the 21-year-old G.S.M. algorithm, a code developed in 1988 and still used to protect the privacy of 80 percent of mobile calls worldwide. (The abbreviation stands for global system for mobile communication.)
In March 2006, a big scandal shocked Greece when it was discovered that the mobile phones of more than 100 high-profile politicians (including the Greek prime minister, the minister of national defense and the minister of foreign affairs), diplomats and many others had been illegally intercepted for several months (from June 2004 to March 2005).
The person who did this was discovered hanged in his apartment in Athens.
In February 2008, a scandal was uncovered when Detroit’s mayor was discovered to be involved in an affair with his chief of staff; both of them denied the allegation and lied under oath about it.
The main evidence against them was the text messages, which the phone operator had been storing for years.
Verizon Wireless fired an unspecified number of employees for accessing President Barack Obama’s old cell phone records without permission.
A hacker known as “K Dollars” passed himself off to the cell phone operator as the legitimate owner of Miley Cyrus’s account and received her data.
Her cell phone was also hacked into, and some stored pictures were posted and distributed on various websites.
Hackers succeeded in downloading Paris Hilton’s video, text and data files from her Sidekick cell phone.
It began with social engineering, when one of the hackers was able to get a user name and password for the Web site used by T-Mobile to manage customer accounts.
The hackers then used the secure web site to look up Hilton’s phone number and reset the password for her account, locking her out of it.
Then the hackers downloaded all of her stored video, text and data files and posted her address book on the Internet.
It is simple to access stored information from seemingly locked phones.
It was exposed that an unauthorized user can exploit inherent security flaws in the phone simply by double-pressing the button to make an emergency call. This brings up the user’s preferred contacts, and clicking on a number provides full access to the phone’s features.
Furthermore, clicking on an e-mail provides access to all e-mail, and clicking on a contact name provides full access to all contact data.
DANGERS OF PHISHING
Phishing: an attempt to acquire sensitive information, like bank account information or an account password, by posing as a legitimate entity in an electronic communication.
How a phishing attack unfolds:
1. The attacker sends an email: “There is a problem with your eBuy account.”
2. The user clicks on the email link to www.ebuj.com.
3. The site asks: password?
4. The user thinks it is ebuy.com and enters the eBuy username and password.
5. The password is sent to the bad guy.
Email: Phishing e-mails can appear to come from legitimate institutions such as your bank, e-commerce site, credit card company, etc., but they really come from a criminal trying to steal information.
Web Site: If you follow a link from an email or from an untrustworthy web site, it may take you to a site clone that records your information before logging you into the real site.
IM: With IM phishing, you will get an IM from someone claiming to be support for your IM provider, asking you for account information.
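The ebuj.com scenario and the email channel above both turn on the same two facts: the text a link shows and the host it actually goes to can differ, and a domain one character away from the real one reads as genuine. The script below is an added example, not code from the slides, of checking an HTML mail body for both problems the way a mail filter or a cautious reader would. The brand allow-list (with the slide's fictional ebuy.com), the sample mail, the two-character look-alike threshold and the function names are constructed for this example.

```python
"""Link checks for a suspected phishing e-mail (added example).

The advice is to not trust the link in the mail: the text you see and the
place it takes you can differ, and a look-alike domain such as ebuj.com is easy
to mistake for ebuy.com. This script extracts every <a> element from an HTML
mail body and reports both problems. The brand allow-list, the sample mail and
the thresholds are constructed for this example.
"""
import re
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed allow-list: brand keyword -> the domain the brand really uses.
# ebuy.com is the fictional brand from the slide's diagram.
KNOWN_BRANDS = {"ebuy": "ebuy.com", "paypal": "paypal.com"}

# Visible link text that itself looks like a URL or host name (no spaces).
URL_LIKE = re.compile(r"(?:https?://)?[\w.-]+\.[A-Za-z]{2,}(?:/\S*)?")


class LinkExtractor(HTMLParser):
    """Collect (href, visible text) pairs from <a> elements."""

    def __init__(self) -> None:
        super().__init__()
        self.links: List[Tuple[str, str]] = []
        self._href: Optional[str] = None
        self._text: List[str] = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registrable_domain(host: str) -> str:
    """Last two labels of a host name (mail.ebuy.com -> ebuy.com).
    A real deployment would consult the public suffix list; this is a simplification."""
    labels = host.lower().strip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, used to catch one- or two-character look-alikes."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def check_link(href: str, text: str) -> List[str]:
    """Return the reasons a link looks like phishing; an empty list means none found."""
    reasons = []
    target = registrable_domain(urlparse(href).hostname or "")
    # 1. If the visible text looks like an address, it must match the real target.
    if URL_LIKE.fullmatch(text):
        shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
        shown = registrable_domain(shown_host)
        if shown != target:
            reasons.append(f"text shows {shown} but link goes to {target}")
    # 2. A domain that is almost, but not exactly, a known brand's domain.
    for brand, real in KNOWN_BRANDS.items():
        if target != real and (brand in target or edit_distance(target, real) <= 2):
            reasons.append(f"{target} imitates {real}")
            break
    return reasons


def scan_email(html: str) -> List[Tuple[str, List[str]]]:
    """Run check_link over every link in an HTML mail body."""
    parser = LinkExtractor()
    parser.feed(html)
    return [(href, check_link(href, text)) for href, text in parser.links]


# Constructed sample mail following the slide's scenario.
SAMPLE_EMAIL = """<p>There is a problem with your eBuy account.</p>
<p>Please visit <a href="http://www.ebuj.com/login">www.ebuy.com/login</a> to fix it.</p>
<p>Questions? See <a href="https://www.ebuy.com/help">our help center</a>.</p>"""

if __name__ == "__main__":
    for href, reasons in scan_email(SAMPLE_EMAIL):
        print(href, "->", reasons or "no indicators")
```

The first link is reported twice (the text says ebuy.com while the target is ebuj.com, and ebuj.com is one edit away from the real domain); the help-center link, which really does go to ebuy.com, is clean. The same idea generalises past the slide's case to any visible-text/target mismatch and to digit-for-letter swaps such as paypa1.com, which the edit-distance test catches without a hand-written rule per brand.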
Common phishing lures:
- A statement that there is a problem with the recipient’s account at a financial institution or other business. The email asks the recipient to visit a web site to correct the problem, using a deceptive link in the email.
- A statement that the recipient’s account is at risk, offering to enroll the recipient in an anti-fraud program.
- A fictitious invoice for merchandise, often offensive merchandise, that the recipient did not order, with a link to “cancel” the fake order.
- A fraudulent notice of an undesirable change made to the user’s account, with a link to “dispute” the unauthorized change.
- A claim that a new service is being rolled out at a financial institution, offering the recipient, as a current member, a limited-time opportunity to get the service for free.
Credit: Collin Jackson
Phishing email sent portraying Bank of America and Military Bank.
It entices the user to complete a survey and receive a $20 or $25 credit.
Experiment:
- Reconstructed the social network by crawling sites like Facebook, MySpace, LinkedIn and Friendster
- Sent 921 Indiana University students a spoofed email that appeared to come from their friend
- The email redirected to a spoofed site inviting the user to enter his/her secure university credentials
- The domain name was clearly distinct from indiana.edu
- 72% of students entered their real credentials into the spoofed site (most within the first 12 hours)
- Males were more likely to do this if the email was from a female
DON’T CLICK THE LINK: type the site name into your browser yourself (such as www.paypal.com).
Never send sensitive account information by e-mail: account numbers, SSN, passwords.
Never give any password out to anyone.
Verify any person who contacts you (by phone or email). If someone calls you on a sensitive topic, thank them, hang up, and call them back using a number that you know is correct, like one from your credit card or statement.